Advantages and Disadvantages of the Two Security Implementations
At some point, you have to make a decision about the form of security that best suits your application. In many cases, you'll use both forms in the same application, because each has specific advantages. Here's a list of advantages for imperative security:
It doesn't appear in the application manifest, so it's harder for a cracker to discover the security measures you put in place.
You can't create dynamic security conditions using declarative securityimperative security is more flexible in this area.
Imperative security can be easier to use, because it relies on statements that are easy to debug.
Declarative security is also essential. In some cases, you can't perform a given security task without using declarative security. Here's a list of the primary declarative security advantages:
This form of security appears in the manifest, which is a requirement for using utilities such as the Permission View Tool that comes with Visual Studio .NET. The Permission View Tool can help you perform a security audit of your application.
This is the only method you can use to declare assembly level security, such as the requirement to validate code before using it.
Because declarative security always appears at the beginning of the application element, it's easier to find the security settings. That makes it a better option from a documentation perspective.
As you can see, declarative and imperative forms of security both have a place in your .NET security toolkit. There are times when just one choice is correct, but, plenty of times, it'll be a matter of your personal choice.